Posted to commits@ambari.apache.org by rl...@apache.org on 2015/04/01 22:22:19 UTC

ambari git commit: AMBARI-10266. Cannot enable kerberos with Ambari server running non-root (rlevas)

Repository: ambari
Updated Branches:
  refs/heads/trunk 759edd4d3 -> e22b67103


AMBARI-10266. Cannot enable kerberos with Ambari server running non-root (rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e22b6710
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e22b6710
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e22b6710

Branch: refs/heads/trunk
Commit: e22b671035bcaa026f2ce5c3b77e1d49b3c74c73
Parents: 759edd4
Author: Robert Levas <rl...@hortonworks.com>
Authored: Wed Apr 1 16:21:34 2015 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Wed Apr 1 16:21:34 2015 -0400

----------------------------------------------------------------------
 ambari-server/conf/unix/ambari.properties       |  2 +-
 ambari-server/conf/windows/ambari.properties    |  2 +-
 .../kerberos/CreateKeytabFilesServerAction.java | 23 +++--
 .../CreateKeytabFilesServerActionTest.java      | 91 ++++++++++++++++++++
 4 files changed, 109 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 44aea5c..eee3bb2 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -48,7 +48,7 @@ bootstrap.script=/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py
 bootstrap.setup_agent.script=/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py
 recommendations.dir=/var/run/ambari-server/stack-recommendations
 stackadvisor.script=/var/lib/ambari-server/resources/scripts/stack_advisor.py
-server.tmp.dir=/var/lib/ambari-server/tmp
+server.tmp.dir=/var/lib/ambari-server/data/tmp
 ambari.python.wrap=ambari-python-wrap
 
 api.authenticate=true

http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index cfe9c3d..d0fb6dd 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -55,7 +55,7 @@ kerberos.keytab.cache.dir = data\\cache
 
 recommendations.dir=\\var\\run\\ambari-server\\stack-recommendations
 stackadvisor.script=resources\\scripts\\stack_advisor.py
-server.tmp.dir=\\var\\run\\ambari-server\\tmp
+server.tmp.dir=\\var\\run\\ambari-server\\data\\tmp
 views.dir=resources\\views
 ambari.python.wrap=python.exe
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
index a1ff364..5e8b451 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
@@ -353,7 +353,6 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
 
     try {
       keytab.write(cachedKeytabFile);
-      ensureAmbariOnlyAccess(cachedKeytabFile);
     } catch (IOException e) {
       String message = String.format("Failed to write the keytab for %s to the cache location (%s)",
           principal, cachedKeytabFile.getAbsolutePath());
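Review bot: A keytab whose permissions cannot be tightened is left behind in the cache directory now that the `ensureAmbariOnlyAccess(cachedKeytabFile);` call (re-added in the next hunk, outside this try block) can throw. `keytab.write(cachedKeytabFile)` here creates the file with whatever default mode the server process has, so the key material may stay readable by other accounts, both in that failure case and in the interval between the write and the permission change. Deleting the file before the exception propagates closes the first gap; restricting the cache directory (or an empty file) before any key material is written would close the second. The enclosing method starts outside this hunk.

```java
    // … unchanged: keytab.write(cachedKeytabFile) and its IOException handling …

    try {
      ensureAmbariOnlyAccess(cachedKeytabFile);
    } catch (AmbariException e) {
      // Do not leave key material on disk with permissions that could not be restricted
      if (!cachedKeytabFile.delete()) {
        LOG.warn(String.format("Failed to remove %s after its permissions could not be restricted",
            cachedKeytabFile.getAbsolutePath()));
      }
      throw e;
    }

    return cachedKeytabFile;
```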
@@ -361,6 +360,8 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
       throw new AmbariException(message, e);
     }
 
+    ensureAmbariOnlyAccess(cachedKeytabFile);
+
     return cachedKeytabFile;
   }
 
@@ -370,23 +371,31 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
    *
    * @param file the file or directory for which to modify access
    */
-  private void ensureAmbariOnlyAccess(File file) {
+  protected void ensureAmbariOnlyAccess(File file) throws AmbariException {
     if (file.exists()) {
       if (!file.setReadable(false, false) || !file.setReadable(true, true)) {
-        LOG.warn(String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath()));
+        String message = String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath());
+        LOG.warn(message);
+        throw new AmbariException(message);
       }
 
       if (!file.setWritable(false, false) || !file.setWritable(true, true)) {
-        LOG.warn(String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath()));
+        String message = String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath());
+        LOG.warn(message);
+        throw new AmbariException(message);
       }
 
       if (file.isDirectory()) {
-        if (!file.setExecutable(false, false) && !file.setExecutable(true, true)) {
-          LOG.warn(String.format("Failed to set %s executable by Ambari", file.getAbsolutePath()));
+        if (!file.setExecutable(false, false) || !file.setExecutable(true, true)) {
+          String message = String.format("Failed to set %s executable by Ambari", file.getAbsolutePath());
+          LOG.warn(message);
+          throw new AmbariException(message);
         }
       } else {
         if (!file.setExecutable(false, false)) {
-          LOG.warn(String.format("Failed to set %s not executable", file.getAbsolutePath()));
+          String message = String.format("Failed to set %s not executable", file.getAbsolutePath());
+          LOG.warn(message);
+          throw new AmbariException(message);
         }
       }
     }
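Review bot: Turning every failed `File.setReadable`/`setWritable`/`setExecutable` call into an `AmbariException` makes this method fail on file systems that do not implement the permission being cleared, where `setReadable(false, false)` and `setExecutable(false, false)` are documented to return false. The same commit edits conf/windows/ambari.properties, so that platform appears to be in scope. Consider throwing only when the resulting state is actually too permissive, or setting the mode in one step with `Files.setPosixFilePermissions` where a POSIX attribute view is available and handling other file systems separately. The Javadoc above the method should also gain `@throws AmbariException if the permissions cannot be restricted`, and because the new test sits in the same package, package-private visibility would be enough instead of `protected`. The method's closing brace falls outside this hunk.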

http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
new file mode 100644
index 0000000..d2252a9
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import junit.framework.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Set;
+
+public class CreateKeytabFilesServerActionTest {
+
+  @Rule
+  public TemporaryFolder testFolder = new TemporaryFolder();
+
+  @Test
+  public void testEnsureAmbariOnlyAccess() throws Exception {
+    Path path;
+    Set<PosixFilePermission> permissions;
+
+    File directory = testFolder.newFolder();
+    Assert.assertNotNull(directory);
+
+    new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(directory);
+
+    // The directory is expected to have the following permissions: rwx------ (700)
+    path = Paths.get(directory.getAbsolutePath());
+    Assert.assertNotNull(path);
+
+    permissions = Files.getPosixFilePermissions(path);
+    Assert.assertNotNull(permissions);
+
+    Assert.assertNotNull(permissions);
+    Assert.assertEquals(3, permissions.size());
+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
+
+    File file = File.createTempFile("temp_", "", directory);
+    Assert.assertNotNull(file);
+    Assert.assertTrue(file.exists());
+
+    new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(file);
+
+    // The file is expected to have the following permissions: rw------- (600)
+    path = Paths.get(file.getAbsolutePath());
+    Assert.assertNotNull(path);
+
+    permissions = Files.getPosixFilePermissions(path);
+    Assert.assertNotNull(permissions);
+
+    Assert.assertEquals(2, permissions.size());
+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
+    Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
+    Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
+  }
+}
\ No newline at end of file
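Review bot: Only the success path is exercised here, so the behaviour this commit introduces (`ensureAmbariOnlyAccess` throwing `AmbariException` when a permission cannot be changed) has no coverage; a case that passes a `File` subclass whose `exists()` returns true and whose `setReadable` returns false would pin it. `Files.getPosixFilePermissions` throws `UnsupportedOperationException` on non-POSIX file systems, so the test should be skipped there, for example with `Assume.assumeTrue(FileSystems.getDefault().supportedFileAttributeViews().contains("posix"));`. In the directory half `Assert.assertNotNull(permissions);` appears twice in a row, and `junit.framework.Assert` is the deprecated JUnit 3 class; `org.junit.Assert` is the current one.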